CLAIMS 

What is claimed is: 



1 1 . A computer system providing Intemet protocol security without secure domain name 

2 resolution, the system comprising: 

3 a local domain name service (DNS) server that is communicatively coupled to a 

4 processor and that includes a secure Intemet security protocol (IPSEC) cache, 

5 wherein the secure IPSEC cache is readable only by an Intemet protocol (IP) 

6 processing layer of an operating system that controls execution of an 

7 application program by the processor; 

8 a security policy data store that is communicatively coupled to the IP processing 

9 layer; 

10 a computer-readable medium accessible to the processor and comprising one or more 

1 1 sequences of instructions which, when executed by the processor, cause the 

12 processor to carry out the steps of : 

13 receiving a message generated as a result of execution of the application 

14 program and that contains a domain name; 

15 searching the secure IPSEC cache for an entry that matches the domain name; 

16 querying the security policy data store for an IPSEC policy matching the 

17 domain name; 

18 applying the IPSEC policy to the message; and 

1 9 purging the matching entry from the cache. 

12. A computer system as recited in Claim 1 , wherein the secure IPSEC cache comprises 

2 a plurality of cache entries, wherein each cache entry comprises a DNS name, one or 

3 more corresponding IP addresses, and information that uniquely associates the cache 

4 entry with a particular application process or execution time. 
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1 3. A computer system as recited in Claim 2, wherein the step of searching the secure 

2 BPSEC cache further comprises the step of searching the secure IPSEC cache for an 

3 entry that matches a process identifier of the application program, based on the 

4 information that uniquely associates the cache entry with a particular application 

5 process or execution time. 

14. A computer system as recited in Claim 2, wherein the information that uniquely 

2 associates the cache entry with a particular application process or execution time 

3 comprises a process identifier value and a transaction identifier value. 

1 5. A computer system as recited in Claim 4, wherein the step of searching the secure 

2 IPSEC cache further comprises the step of searching the secure IPSEC cache for an 

3 entry that matches a process and transaction associated with the application program, 

4 based on the process identifier value and transaction identifier value in the cache. 

16. A computer system as recited in Claim 1, further comprising the step of querying the 

2 security policy database for an IPSEC policy based on an IP address that is resolved 

3 from the domain name received from the application program only when a matching 

4 cache entry is not found by searching the cache based on the domain name. 

17. A computer system as recited in Claim 1 , further comprising the steps of: 

2 receiving a request to resolve a DNS name into network addresses; 

3 resolving the DNS name using the local DNS server, resulting in generating one or 

4 more network addresses corresponding to the DNS name; 

5 determining identifier information that uniquely associates the request with a 

6 particular application process or execution time; and 

7 storing the DNS name, the network addresses, and the identifier information as an 

8 entry in the secure IPSEC cache. 
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18. A method for providing Internet protocol security without secure domain name 

2 resolution, the method comprising the computer-implemented steps of: 

3 receiving a message generated as a result of execution of an application program and 

4 that contains a domain name; 

5 searching a secure Intemet security protocol (IPSEC) cache for an entry that matches 

6 the domain name, wherein the secure ff SEC cache is communicatively 

7 coupled to a local domain name service (DNS) server, and wherein the secure 

8 IPSEC cache is readable only by an Intemet protocol (IP) processing layer of 

9 an operating system that controls execution of the application program;; 

10 querying a security policy data store that is communicatively coupled to the IP 

1 1 processing layer for an IPSEC policy matching the domain name; 

1 2 applying the IPSEC policy to the message; and 

13 purging the matching entry from the cache. 

19, A method as recited in Claim 8, wherein the secure IPSEC cache comprises a 

2 plurality of cache entries, wherein each cache entry comprises a DNS name, one or 

3 more corresponding IP addresses, and information that uniquely associates the cache 

4 entry with a particular application process or execution time. 

1 10. A method as recited in Claim 9, wherein the step of searching the secure IPSEC cache 

2 further comprises die step of searching the secure IPSEC cache for an entry that 

3 matches a process identifier of the application program, based on the information that 

4 uniquely associates the cache entry with a particular application process or execution 

5 time. 

1 11. A method as recited in Claim 9, wherein the information that uniquely associates the 

2 cache entry with a particular application process or execution time comprises a 

3 process identifier value and a transaction identifier value. 
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1 12. A method as recited in Claim 1 1 , wherein the step of searching the secure IPSEC 

2 cache further comprises the step of searching the secure IPSEC cache for an entry that 

3 matches a process and transaction associated with the application program, based on 

4 the process identifier value and transaction identifier value in the cache. 

1 13. A method as recited in Claim 8, further comprising the step of querying the security 

2 policy database for an IPSEC policy based on an IP address that is resolved from the 

3 domain name received from the application program only when a matching cache 

4 entry is not found by searching the cache based on the domain name. 

1 14. A method as recited in Claim 8, further comprising the steps of: 

2 receiving a request to resolve a DNS name into network addresses; 

3 resolving the DNS name using the local DNS server, resulting in generating one or 

4 more network addresses corresponding to the DNS name; 

5 determining identifier information that uniquely associates the request with a 

6 particular application process or execution time; and 

7 storing the DNS name, the network addresses, and the identifier information as an 

8 entry in the secure BPSEC cache. 

1 15. A computer-readable medium carrying one or more sequences of instructions for 

2 providing Intemet protocol security without secure domain name resolution, which 

3 instructions, when executed by one or more processors, cause the one or more 

4 processors to carry out the steps of: 

5 receiving a message generated as a result of execution of an application program and 

6 that contains a domain name; 
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7 searching a secure Internet security protocol (IPSEC) cache for an entry that matches 

8 the domain name, wherein the secure IPSEC cache is communicatively 

9 coupled to a local domain name service (DNS) server, and wherein the secure 

10 IPSEC cache is readable only by an Internet protocol (IP) processing layer of 

1 1 an operating system that controls execution of the application program;; 

1 2 querying a security policy data store that is communicatively coupled to the IP 

1 3 processing layer for an IPSEC policy matching the domain name; 

14 applying the PSEC policy to the message; and 

15 purging the matching entry from the cache. 

1 16. A computer-readable medium as recited in Claim 15, wherein the secure IPSEC cache 

2 comprises a plurality of cache entries, wherein each cache entry comprises a DNS 

3 name, one or more corresponding IP addresses, and information that uniquely 

4 associates the cache entry with a particular application process or execution time. 

1 17. A computer-readable medium as recited in Claim 16, wherein the step of searching 

2 the secure IPSEC cache further comprises the step of searching the secure IPSEC 

3 cache for an entry that matches a process identifier of the application program, based 

4 on the information that uniquely associates the cache entry with a particular 

5 application process or execution time. 

1 18. A computer-readable medium as recited in Claim 17, wherein the information that 

2 uniquely associates the cache entry with a particular application process or execution 

3 time comprises a process identifier value and a transaction identifier value. 

1 19. A computer-readable medium as recited in Claim 1 8, wherein the step of searching 

2 the secure IPSEC cache farther comprises the step of searching the secure IPSEC 

3 cache for an entry that matches a process and transaction associated with the 

4 application program, based on the process identifier value and transaction identifier 

5 value in the cache. 
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1 20. A computer-readable medium as recited in Claim 15, further comprising the step of 

2 querying the security policy database for an IPSEC policy based on an IP address that 

3 is resolved from the domain name received from the application program only when a 

4 matching cache entry is not found by searching the cache based on the domain name, 

1 21 . A computer-readable medium as recited in Claim 15, further comprising the steps of: 

2 receiving a request to resolve a DNS name into network addresses; 

3 resolving the DNS name using the local DNS server, resulting in generating one or 

4 more network addresses corresponding to the DNS name; 

5 determining identifier information that uniquely associates the request with a 

6 particular application process or execution time; and 

7 storing the DNS name, the network addresses, and the identifier information as an 

8 entry in the secure IPSEC cache. 

1 22. An apparatus for providing Intemet protocol security without secure domain name 

2 resolution, comprising: 

3 means for receiving a message generated as a result of execution of an application 

4 program and that contains a domain name; 

5 means for searching a secure Intemet security protocol (IPSEC) cache for an entry 

6 that matches the domain name, wherein the secure IPSEC cache is 

7 communicatively coupled to a local domain name service (DNS) server, and 

8 wherein the secure IPSEC cache is readable only by an Intemet protocol (IP) 

9 processing layer of an operating system that controls execution of the 

10 application program;; 

1 1 means for querying a security policy data store that is communicatively coupled to 

12 the IP processing layer for an IPSEC policy matching the domain name; 

1 3 means for applying the IPSEC policy to the message; and 

1 4 means for purging the matching entry from the cache. 
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1 23. An apparatus for providing Internet protocol security, without secure domain name 

2 resolution, for messages that are carried by a packet-switched data network, 

3 comprising: 

4 a network interface that is coupled to the data network for receiving one or more 

5 packet flows therefrom; 

6 a processor; 

7 one or more stored sequences of instructions which, when executed by the processor, 

8 cause the processor to carry out the steps of: 

9 receiving a message generated as a result of execution of an application 

10 program and that contains a domain name; 

1 1 searching a secure Intemet security protocol (IPSEC) cache for an entry that 

1 2 matches the domain name, wherein the secure IPSEC cache is 

1 3 communicatively coupled to a local domain name service (DNS) 

14 server, and wherein the secure IPSEC cache is readable only by an 

15 Intemet protocol (IP) processing layer of an operating system that 

16 controls execution of the application program;; 

17 querying a security policy data store that is communicatively coupled to the IP 

1 8 processing layer for an IPSEC policy matching the domain name; 

19 applying the IPSEC policy to the message; and 

20 purging the matching entry from the cache. 
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